How to disable options request handling in iis 7

Document ID : KB000122757
Last Modified Date : 07/12/2018
Show Technical Document Details
Issue:
If vulnerability scans of your ITCM / CA Client Automation server reveal that you have a Options Request Handling vulnerability, this is has to address it.
Environment:
Any Supported Windows environment running ITCM/ITCA Client Automation and IIS 7
Cause:
Security Vulnerability of some Default IIS 7 installations.
Resolution:

HOW TO DISABLE OPTIONS REQUEST HANDLING IN IIS 7

 
  1. On you IIS system, go into Control Panel -> Administrative Tools and select ‘IIS Manager’
  2. Click on the Server name and if not already selected, click on the item called ‘Features View’ to show available icons. (See Image Below)
  3. Find the item called ‘Handler Mappings’, right click on it and select ‘Open Feature’
User-added image
  1. Find the item called ‘OPTIONSVerbHandler’ and double-click to open. (See image below)
  2. Click the button called ‘Request Restrictions’ and then the tab called ‘VERBS’
  3. Add and item called ‘OPTIONS’ if not already there.
  4. Click the ‘Access’ tab next and select ‘none’ and then ‘OK’ twice to complete the process
User-added image
  1. Now close IIS and open an administrative command prompt.
  2. At the command prompt, type the following commands in order:
    1. CAF stop tomcat
    2. iisreset
    3. CAF start tomcat
  3. IIS and ITCM / ITCA Web Services/Console should now be up and running again without the security vulnerability.